Saturday, June 18, 2011

Color vulnerable to simple GPS hack, lets you spy on anyone, anywhere

Color, the $41-million-in-funding location-oriented photo sharing startup, is susceptible to simple GPS spoofing. With nothing more than a jailbroken iPad or iPhone, you can use FakeLocation to trick Color into thinking you're somewhere else. Within seconds you can be browsing photos that were snapped thousands of miles away. With a little digging, you can pore through photos not intended for your eyes.

Of course, such a hack isn't illegal as such -- every photo you take with Color is public. With FakeLocation you are simply circumventing Color's very limited location-oriented security mechanism. It does undermine Color's usefulness (and uniqueness), though -- if nefarious types can sit in their bedroom or basement and eavesdrop on classy dinner parties and wild night club soirees, people might be less inclined to share personal photos with those around them.

Fortunately, both for Color and its users, this is an easy security hole to plug -- at least in the short term. The app (or server-side) code simply checks to see if the user has 'teleported' an impossibly large distance, without any intermediate steps in between. In the long term, though, Color's users must be aware that its social graph is completely public. Color's users must realize that every photo they upload is visible by anyone, from any place.

After the break, just to elucidate a little on Color's actual business model and ultimate intention, we have two amazing quotes from Bill Nguyen, Color's founder.